Google warning: is your site abused through
Google recently wrote in one of its official blogs that it
is possible for spammers to take advantage of your website
without ever setting a virtual foot in your server. Spammers
can do this by abusing open redirects.
What are open redirects?
Many websites use links that redirect their website visitors
to another page. Some redirects are left open to any arbitrary
destination. These redirects can be abused by spammers to
trick web surfers and search engines into following links
that seem to be pointing to your website although they redirect
to a spammy website.
That means that people who think that they visit your website
will be redirected to highly questionable web pages that might
contain adult content, viruses, malware or phishing attempts.
Which redirects on your website could be abused?
Spammers are very inventive. According to Google, they have
managed to use the redirect spam on a wide range of websites,
including the websites of large well-known companies and the
websites of small local government agencies.
For example, the following redirection types can be abused:
Scripts that redirect users to a file on the server can be
abused by spammers. The links on your website could look like
Site search result pages with automatic redirect options.
If the result pages of your internal site search feature contain
an URL variable that sends your website visitors to other
pages, spammers might be able to exploit them:
Affiliate tracking links. Affiliate tracking links often allow
people to direct website visitors to other pages. Spammers
might enter their own URLs in the tracking links. Example:
Proxy pages. Proxy sites send people through to other websites
and they can be abused by spammers:
Interstitial pages. Some websites show an interstitial page
when users leave a website to let users know that the information
found on the link is not under their control. These URLs usually
look like this:
How to find out if your website is abused
Even if you find none of the URLs above on your website,
your site still may have open redirects. Do the following
to check if your website is abused by spammers:
Make a site search on Google
Go to Google.com and search for "site:yourdomain.com".
Replace yourdomain.com with your own domain name. If you see
web pages that have nothing to do with your website then it's
likely that someone exploits a security hole on your website.
Check your web server logs for URL parameters like "=http:"
or "=//". If your redirection URLs get a lot of
traffic, this could also be caused by spammers.
If you get user complaints about content or malware that you
know cannot be found on your website then your website users
might have seen your URL before they were redirected to the
What you can do to protect your website
It's not easy to to make sure that your redirects aren't
exploited. The reason for that is that an open redirect is
not a bug or a security flaw. There are some things that you
can do to protect your website:
Check the referrer. Your redirect scripts should only work
if they area accessed from another web page of your website.
The redirect script should not work if the user accesses the
script directly or from a search engine.
If possible, make sure that the script can only redirect to
web pages and files that are on your own websites. You could
use a whitelist of allowed destination domains.
Use the robots.txt file of your website to exclude search
engines from the redirect scripts on your website. That will
make your website less attractive for hackers.
Add a signature or a checksum to your redirect links so that
only you can use the script.
Open redirect abuse is a big issue for Google right now. If
you secure your scripts, spammers will move over to other
websites and leave your website alone.